On Mon, Dec 10, 2007 at 07:07:54PM +0200, Avi Kivity wrote:
> Marcelo Tosatti wrote:
> >There is a race where VCPU0 is shadowing a pagetable entry while VCPU1
> >is updating it, which results in a stale shadow copy.
> >
> >Fix that by comparing the contents of the cached guest pte with the
> >current guest pte after write-protecting the guest pagetable.
> >
> >Attached program kvm_shadow_race.c demonstrates the problem.
> >
> >
>
> Where is it?
Attached.
> >Signed-off-by: Marcelo Tosatti <[EMAIL PROTECTED]>
> >
> >
> >diff --git a/drivers/kvm/paging_tmpl.h b/drivers/kvm/paging_tmpl.h
> >index 72d4816..4fece01 100644
> >--- a/drivers/kvm/paging_tmpl.h
> >+++ b/drivers/kvm/paging_tmpl.h
> >@@ -66,6 +66,7 @@ struct guest_walker {
> > int level;
> > gfn_t table_gfn[PT_MAX_FULL_LEVELS];
> > pt_element_t pte;
> >+ gpa_t pte_gpa;
> >
>
> I think this needs to be an array like table_gfn[]. The guest may play
> with the pde (and upper entries) as well as the pte.
I was working under the assumption that the only significant bits of
upper entries (WRITEABLE and PRESENT) that can be changed by the guest
must be reflected first in the lower level pte's.
Isnt that a fair assumption to make?
> >+ kvm_read_guest(vcpu->kvm, walker->pte_gpa, &curr_pte,
> >sizeof(curr_pte));
> >+
> >+ if (curr_pte != walker->pte)
> >+ return 0;
> >+
> >
>
> 'return NULL'
>
> It would also be preferable to read the pte only if we shadowed the page
> just now. Perhaps pass the pte and the index to kvm_mmu_get_page()
> which would use them as a guard when the page is being shadowed:
>
> if (lookup page succeeds)
> return it
> shadow page
> write protect it
> if (guard check succeeds)
> return it
> else
> return NULL
>
> or perhaps have kvm_mmu_get_page() return an additional bool signifying
> it is a new page. but this is ugly.
>
> >
> >- ++vcpu->stat.pf_fixed;
> >+ if (shadow_pte)
> >+ ++vcpu->stat.pf_fixed;
> >
>
> This is a very rare case; it isn't worth being so accurate maintaining
> the statistics.
>
> --
> error compiling committee.c: too many arguments to function
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/time.h>
#include <pthread.h>
struct thread_param {
void *mmaped_region;
int start;
int len;
};
void* do_read(void *arg)
{
char buf[4096];
void *pos, *end;;
struct thread_param *t = (struct thread_param *)arg;
sleep(1);
end = t->mmaped_region + t->len;
for (pos=t->mmaped_region; pos < end; pos += sizeof(buf))
memcpy(&buf, pos, sizeof(buf));
}
#define FLEN 128*1024*1024
int main(void)
{
int fd, err, i;
char buf[4096];
void *mmaped_region;
fd = open("/tmp/largefile", O_RDWR|O_CREAT);
if (!fd) {
perror("failed to create /tmp/largefile");
exit(0);
}
chmod("/tmp/largefile", S_IRUSR|S_IWUSR);
memset(buf, 0xf, sizeof(buf));
for (i=0; i<FLEN; i+=sizeof buf) {
err = write(fd, buf, sizeof(buf));
if (err < 0) {
perror("write");
exit(0);
}
}
mmaped_region = mmap(0, FLEN, PROT_READ|PROT_WRITE, MAP_SHARED, fd,
0);
if (mmaped_region == MAP_FAILED) {
perror("mmap");
exit(0);
}
for (i = 0; i < FLEN; i += FLEN/32) {
pthread_t thread;
struct thread_param *t = malloc(sizeof(struct thread_param));
t->mmaped_region = mmaped_region;
t->start = i;
t->len = FLEN/32;
if (pthread_create(&thread, NULL, do_read, t))
perror("pthread_create");
}
sleep(1);
i = mprotect(mmaped_region, FLEN, PROT_READ);
if (i < 0)
perror("mprotect");
return 0;
}
-------------------------------------------------------------------------
SF.Net email is sponsored by:
Check out the new SourceForge.net Marketplace.
It's the best place to buy or sell services for
just about anything Open Source.
http://sourceforge.net/services/buy/index.php
_______________________________________________
kvm-devel mailing list
kvm-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/kvm-devel
